CVE-2025-6984.yaml
info:
  name: langchain
  cve: CVE-2025-6984
  summary: Langchain Community is vulnerable to XML External Entity (XXE) attacks due to insecure XML parsing in the EverNoteLoader component.
  details: |
    The `langchain-ai/langchain` project, specifically the `EverNoteLoader` component, is vulnerable to XML External Entity (XXE) attacks. The vulnerability arises from the use of `etree.iterparse()` without disabling external entity references, which can lead to sensitive information disclosure. An attacker could exploit this by crafting a malicious XML payload that references local files, potentially exposing sensitive data such as `/etc/passwd`.
  cvss: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  severity: HIGH
  security_advise: |
    1. Upgrade `langchain-community` to version `0.3.27` or later.
    2. Ensure that XML parsers are configured to disable external entity resolution.
rule: version > "0" && version < "0.3.27"
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-6984
  - https://github.com/langchain-ai/langchain-community/commit/e842452108089524e22c3a2ced851c021884556f
  - https://github.com/langchain-ai/langchain-community
  - https://github.com/langchain-ai/langchain/blob/d79b5813a0b3b243c612b77013768995e46c4337/libs/langchain/langchain/document_loaders/evernote.py#L1-L23
  - https://huntr.com/bounties/a6b521cf-258c-41c0-9edb-d8ef976abb2a